<html>
<head><meta charset="utf-8"><title>Possible advisory · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html">Possible advisory</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="210235918"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210235918" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Pratt <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210235918">(Sep 16 2020 at 08:50)</a>:</h4>
<p>Hello. An email I tried to send to the Google group and it rejected the email, so here I am! I was basically wondering if <a href="https://github.com/time-rs/time/issues/276">https://github.com/time-rs/time/issues/276</a> would qualify for an advisory, given the possibility of an unexpected panic on what should be a valid parameter value. An incorrect value may also be returned. As indicated in the issue, the implications are quite far reaching due to the reliance of this method for arithmetic purposes. One thing to note is that this only affects dates before ~4714 BCE, so it's not like web servers handling HTTP headers will ever run into this.</p>



<a name="210235998"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210235998" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Pratt <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210235998">(Sep 16 2020 at 08:51)</a>:</h4>
<p>In case I forget to check back, feel free to leave a message on that issue. Notifications from Zulip don't work for whatever reason.</p>



<a name="210271573"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210271573" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210271573">(Sep 16 2020 at 14:41)</a>:</h4>
<p>I understand this only results in integer overflow, right? In this case there would not be a panic in release mode, just silent overflow. Either way panics are usually not considered security issues unless the crate explicitly guarantees absence of panics.</p>



<a name="210284210"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210284210" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Pratt <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210284210">(Sep 16 2020 at 16:07)</a>:</h4>
<p>It results in an explicit panic due to the calculation of an invalid year-month-day combo, not just an integer overflow. While the crate doesn't explicitly guarantee the lack of panics, I'm pretty sure most people would be extremely surprised if they had an <code>OffsetDateTime</code>, added a <code>Duration</code> of no length, and got a panic.</p>



<a name="210300225"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210300225" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210300225">(Sep 16 2020 at 18:18)</a>:</h4>
<p>I think that, in general, DoS possibilities (like unexpected panics or infinite loops) are considered as bugs, not security issues, from the PoV of this.  Otherwise even completely-sound code could get advisories (like anything doing default panic-on-out-of-bounds indexing), which is probably too big a problem to tackle.</p>



<a name="210300320"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210300320" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210300320">(Sep 16 2020 at 18:19)</a>:</h4>
<p>So to me that's clearly a bug, but not a security issue -- the most secure possible service is one that always panics immediately and thus never has a chance to do anything :P</p>



<a name="210315527"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210315527" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210315527">(Sep 16 2020 at 20:22)</a>:</h4>
<p>/me awaits the service that manages to break the panic path into something nasty...</p>



<a name="210316793"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210316793" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Pratt <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210316793">(Sep 16 2020 at 20:32)</a>:</h4>
<p>Sounds good! I didn't think it would fall under this, but it's worth checking and playing Devil's advocate. Thanks everyone.</p>



<a name="210317483"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Possible%20advisory/near/210317483" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Possible.20advisory.html#210317483">(Sep 16 2020 at 20:38)</a>:</h4>
<p><span class="user-mention" data-user-id="138448">@cuviper</span> this is only exploitable on panic: <a href="https://rustsec.org/advisories/RUSTSEC-2019-0010.html">https://rustsec.org/advisories/RUSTSEC-2019-0010.html</a><br>
So you can in fact use panics to reach unsound but otherwise not exploitable code. Although the same can be said about anything that alters control flow.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>